[openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)

Sean Dague sean at dague.net
Mon Jan 4 13:21:35 UTC 2016

On 12/30/2015 03:23 PM, Farr, Kaitlin M. wrote:
> All,
> Please reply or send me an email if you are using the ConfKeyManager
> (fixed-key key manager) in deployment for volume encryption or
> ephemeral storage encryption. You can check this by looking at the
> [keymgr] section, api_class entry of nova.conf or cinder.conf. The
> ConfKeyManager was only intended for testing and I am working on
> deprecating it. I would like to gauge the number of people using
> that backend, because it may affect the deprecation strategy.
> This is the start of the effort to replace the duplicated key manager
> code with Castellan [1], a key manager interface library that allows
> the user to swap out different backends, such as Barbican. While
> Castellan is based on the key managers built into Nova and Cinder, it
> does not have the fixed-key backend. That backend is insecure. A single
> key is used for all volumes. If the key is compromised, all of the
> encrypted data is easily decrypted. See Joel Coffman's comments on the
> Nova spec [2]. Deprecating the fixed-key key manager would need to
> occur before Castellan is integrated.
> Again, please let me know if you use the ConfKeyManager and you
> actively use the volume encryption and encrypted cinder volume features
> in a deployment.
> Other feedback is also welcome.
> I am also creating a separate thread with this info on the operators
> mailing list.
> Thanks,
> Kaitlin Farr
> 1. Castellan source code. https://github.com/openstack/castellan
> 2. Castellan integration Nova spec. https://review.openstack.org/#/c/247561/
> 3. Castellan integration Cinder spec. https://review.openstack.org/#/c/247577/

The fixed key manager is useful for easy testing (we're using it in the
gate in places where barbican isn't available). Is there anything
equivalent with Castellan?


Sean Dague
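
The check described in the quoted message (the api_class entry in the [keymgr] section of nova.conf or cinder.conf), as an added example that is not part of the thread or of the Nova/Cinder code. The sample configs are constructed, audit_keymgr is a hypothetical helper name, and the fixed_key option it also looks for is not mentioned in the thread.

```python
import configparser
import sys

# Constructed sample configs for illustration; not from a real deployment.
SAMPLE_NOVA_CONF = """\
[DEFAULT]
debug = False

[keymgr]
api_class = nova.keymgr.conf_key_mgr.ConfKeyManager
fixed_key = <placeholder-hex-key>
"""

SAMPLE_CINDER_CONF = """\
[keymgr]
api_class = cinder.keymgr.barbican.BarbicanKeyManager
"""

SAMPLE_NO_KEYMGR = """\
[DEFAULT]
debug = False
"""


def audit_keymgr(conf_text):
    """Classify the key manager backend selected in one config file's text."""
    # oslo.config files are INI-like; disable interpolation so '%' in values is literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    api_class = parser.get("keymgr", "api_class", fallback=None)
    fixed_key = parser.get("keymgr", "fixed_key", fallback="").strip()
    if api_class is None:
        # Entry absent: the service's built-in default applies, so check that too.
        status = "unset"
    elif api_class.strip().rsplit(".", 1)[-1] == "ConfKeyManager":
        status = "fixed-key"
    else:
        status = "other"
    return {"api_class": api_class, "status": status, "fixed_key_set": bool(fixed_key)}


if __name__ == "__main__":
    # Pass real paths (e.g. /etc/nova/nova.conf) as arguments; otherwise use the samples.
    paths = sys.argv[1:]
    texts = {p: open(p).read() for p in paths} or {
        "sample nova.conf": SAMPLE_NOVA_CONF,
        "sample cinder.conf": SAMPLE_CINDER_CONF,
    }
    for name, text in texts.items():
        print(name, audit_keymgr(text))
```

A result of "unset" is not a clean bill of health: it means the release's default api_class is in effect and needs to be looked up for the installed version.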
